Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-6187 |
CWE-ID | CWE-94 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Lenovo XClarity Controller (XCC) Hardware solutions / Firmware |
Vendor | Lenovo |
Security Bulletin
This security bulletin contains one low-risk vulnerability.
EUVDB-ID: #VU22865
Risk: Low
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-6187
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description
The vulnerability allows a local user to inject arbitrary code into CSV files.
The vulnerability exists due to insufficient sanitization of user-supplied data when constructing CSV files. A local administrator can store malformed data in certain XCC server informational fields, which could result in crafted formulas being stored in an exported CSV file.
Successful exploitation of this vulnerability may allow a local administrator to execute arbitrary code and compromise the vulnerable system.
Mitigation
Product | Minimum Fix Version | Download Link | Status Last Updated |
ThinkAgile HX series, Machine Types: 7X82, 7Y88, 7Z03 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
ThinkAgile HX Series, Machine Types: 7X83,YX84,7Y89,7Y90,7Z04,7Z05,7Z06,7Z07 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
ThinkAgile MX Certified Nodes, Machine Types: 7Z20,7D1H | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
ThinkAgile VX series, Machine Types: 7Y11, 7Y12, 7Y92 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
ThinkAgile VX Series, Machine Types: 7Y13,7Y14,7Y93,7Y94 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
ThinkSystem SD530, Machine Types: 7X21 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
ThinkSystem SD650 DWC Dual Node Tray, Machine Types: 7X58 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
ThinkSystem SN550, Machine Types: 7X16 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
ThinkSystem SN850, Machine Types: 7X15 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
ThinkSystem SR150 / SR158, Machine Types: 7Y54,7Y55 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
ThinkSystem SR250/SR258, Machine Types: 7Y51,7Y52,7Y72,7Y73,7Y53 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
ThinkSystem SR530, Machine Types: 7X07,7X08 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
ThinkSystem SR550, Machine Types: 7X03,7X04 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
ThinkSystem SR570, Machine Types: 7Y02,7Y03 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
ThinkSystem SR590, Machine Types: 7X98,7X99 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
ThinkSystem SR630, Machine Types: 7X01,7X02 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
ThinkSystem SR650, Machine Types: 7X05,7X06 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
ThinkSystem SR670 Server, Machine Types: 7Y36, 7Y37, 7Y38 | G1I312 | https://datacentersupport.lenovo.com/downloads/DS542157 | 2019-11-19 |
ThinkSystem SR850, Machine Types: 7X18, 7X19 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
ThinkSystem SR860, Machine Types: 7X69, 7X70 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
ThinkSystem SR950 Server, Machine Types: 7X11,7X12,7X13,7Y95,7Y96,7Z08,7Z09 | PSI328M | https://datacentersupport.lenovo.com/downloads/DS542206 | 2019-11-19 |
ThinkSystem ST250/ST258, Machine Types: 7Y45,7Y46,7Y47 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
ThinkSystem ST550, Machine Types: 7X09,7X10 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
ThinkSystem ST558, Machine Types: 7Y15,7Y16 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
Lenovo XClarity Controller (XCC): 1.02 - 2.85
External links
http://support.lenovo.com/solutions/LEN-29118
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.